Updated: Aug 3, 2020
This topic is a bit of a departure from our normal advice. But we’ve run into this at such an increasingly alarming rate that we feel a duty to share some of what we’ve been learning.
While there are thousands of examples from around the world that could be used to emphasize the threat, consider two of the actual examples we’ve encountered in the last year:
1. A lead accountant gets an email from the owner of a business with instructions to set up a payment to a particular vendor. The email comes from the owner’s own email address and is written in the same tone the owner often uses with this person. The business owner has sent numerous email requests before to set up payment for various things, and they have all been authentic. Except this time the email is not from the owner. The wiring instructions point to the account of a thief, and the fraud is very difficult to detect. The thief has had access to one or both email accounts for some time and has been learning the relationship between the two individuals and the language they use with each other. This allows a very convincing email to be written.
2. Several employees of a company receive an email from a co-worker explaining that an attached file contains specific steps needed to complete a work-related task. Each employee opens the file and is a bit confused when nothing seems to happen. What each employee doesn’t yet know is that the attachment was actually a malicious file which installed a keystroke logger on each of their computers. Going forward, as each of them logs into company applications or personal social media and banking applications, this file sends a record of each key typed back to someone who will later use those logins for malicious purposes. The hacker likely got into the original employee’s email because that person fell victim to the very same trick by clicking on an attachment or link from someone else.
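Both scenarios above hinge on a message that looks like it came from a trusted colleague. The following added example (not code from the original post) shows the kind of header and attachment checks a mail gateway or a phishing-awareness exercise can apply: a Reply-To domain that differs from the From domain, a display name that matches an executive but an address that does not, a lookalike sender domain, and attachments with risky extensions. The domain, the executive list, the extension list and the sample messages are all constructed for the example. Note the caveat these checks carry: in the first scenario the attacker sends from the owner’s real account, so header checks alone will not catch it, which is exactly why the payment-authorization policy below matters.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed values for this example; not from the original post.
INTERNAL_DOMAIN = "example-co.com"
EXECUTIVES = {"pat owner": "pat.owner@example-co.com"}  # display name -> real address
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}


def lookalike(domain: str, trusted: str) -> bool:
    """True when `domain` resembles `trusted` after common substitutions but is not identical."""
    if domain == trusted:
        return False

    def norm(d: str) -> str:
        return d.lower().replace("-", "").replace("0", "o").replace("1", "l")

    return norm(domain) == norm(trusted)


def phishing_indicators(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # Replies silently redirected to another domain are a classic BEC sign.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Display-name impersonation: the name of an executive on a foreign address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' impersonates {expected} from {from_addr}")

    if lookalike(from_domain, INTERNAL_DOMAIN):
        findings.append(f"sender domain {from_domain} looks like {INTERNAL_DOMAIN}")

    # Attachments whose extension can execute code or carry macros.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has risky extension {ext}")

    return findings


# Constructed sample: lookalike domain, impersonated owner, redirected replies.
SAMPLE_BEC = b"""From: Pat Owner <pat.owner@example-c0.com>
Reply-To: Pat Owner <accounts@mail-relay.example>
To: lead.accountant@example-co.com
Subject: Urgent vendor payment
Content-Type: text/plain

Please set up the wire today.
"""

# Constructed sample: a legitimate-looking internal address with no indicators.
SAMPLE_CLEAN = b"""From: Pat Owner <pat.owner@example-co.com>
To: lead.accountant@example-co.com
Subject: Lunch
Content-Type: text/plain

Lunch at noon?
"""


def build_attachment_sample() -> bytes:
    """Constructed sample for scenario 2: an internal sender with a macro-enabled attachment."""
    m = EmailMessage()
    m["From"] = "Sam Colleague <sam@example-co.com>"
    m["To"] = "team@example-co.com"
    m["Subject"] = "Steps for the task"
    m.set_content("Steps are in the attached file.")
    m.add_attachment(b"\x00\x01", maintype="application", subtype="octet-stream", filename="steps.docm")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in [("BEC", SAMPLE_BEC), ("attachment", build_attachment_sample()), ("clean", SAMPLE_CLEAN)]:
        print(label, phishing_indicators(raw))
```

The checks are deliberately simple string and header comparisons so they can be explained in a training session; a production gateway would add SPF/DKIM/DMARC results and sandboxing of attachments on top of them.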
While cybersecurity for a business is a deeper topic that deserves much more attention than this short post, some simple tips can make us all much more difficult targets.
1) Establish a policy that no payments are ever made solely on email authorization. Even if the email is from someone who has the authority to approve such a transaction, verbal or other out-of-band verification must happen as well.
2) Give your employees training on how to spot phishing attempts and establish a policy of not clicking links or opening attachments from others unless they are familiar and expected.
3) Require a strong password for each employee that isn’t recycled from another application. Because passwords are so difficult to remember, a very large percentage of people end up using either the same or very similar passwords for nearly everything they log into. Not if but when one of those applications gets breached, hackers are then in possession of the passwords for nearly everything in that person’s life. And if one of those things is a login to your email or ERP system, the hackers now have access to that too. All the encryption in the world can’t defend against weak passwords. You can check whether your email address has been part of a known breach using a breach-notification service. Your IT company should be able to do a password audit for you and set your company’s password policies to allow only strong passwords. A zero-knowledge, encrypted online password manager such as Bitwarden can not only help you keep track of your hundreds of passwords but also generate random, strong new ones for you.
4) Consider using a corporate email platform other than the traditional Microsoft and Google platforms. Because of the popularity of these tech giants, they are also frequent targets of attacks, such as this one and this one. While there will be a trade-off in terms of convenient features that integrate into other applications, there are very secure email platforms out there that offer better protection. Whichever way you choose, it should be an informed decision.
5) Instead of the traditional file sharing programs like OneDrive or Dropbox, which have also had hacking problems that you can read about here and here, consider a more secure alternative. At Emerge Dynamics we use an encrypted, zero-knowledge online storage provider that is much less susceptible to attacks as a means of keeping our data and our clients’ data very safe.
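The password advice in item 3 combines three controls: a policy that rejects weak or reused passwords, a check against passwords already exposed in breaches, and a generator for strong replacements. The added example below (our own illustration, not code from the original post or from any password manager) implements all three. The breach check follows the k-anonymity scheme used by the Pwned Passwords range API, in which only the first five hex characters of the password’s SHA-1 are sent to the service and the rest of the match is done locally; the sample range response and its counts are constructed so the code runs offline.

```python
import hashlib
import secrets
import string

MIN_LENGTH = 12  # policy threshold chosen for this example


def policy_violations(password: str, known_passwords=()) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes.

    `known_passwords` stands in for passwords the user already uses elsewhere,
    which a password manager or audit tool would supply.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if password in known_passwords:
        problems.append("reused from another application")
    return problems


def hibp_range_query(password: str) -> tuple[str, str]:
    """Split the SHA-1 of the password into the 5-char prefix that would be sent
    to a range API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Parse a range-style response ('SUFFIX:COUNT' per line) and return how many
    times the password appeared in breaches, or 0 if its suffix is absent."""
    _, suffix = hibp_range_query(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def generate_password(length: int = 20) -> str:
    """Generate a random password from a CSPRNG that satisfies policy_violations()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


# Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffix on the last line is the real remainder of that hash; the counts
# and the other suffixes are made up for the example.
SAMPLE_RANGE_RESPONSE = """0018A45C4D1DEF81644B54AB7F969B88D65:2
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
"""


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3-horse-staple"]:
        prefix, _ = hibp_range_query(pw)
        print(pw, "->", policy_violations(pw), "prefix", prefix,
              "breach count", breach_count(pw, SAMPLE_RANGE_RESPONSE))
    print("generated:", generate_password())
```

In a real audit the response text would come from an HTTPS request for the prefix; the password itself never leaves the machine, which is what makes it acceptable to run such a check against employee credentials.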
We hope this brings awareness to an increasing threat to small businesses and gives you some simple tools for protecting yourself and your organization. While anyone in your organization can be a target, Presidents, CFOs, Controllers and AP managers are the most targeted because of their ability to process or approve payments. Depending on the nature and size of your business you may have more extensive needs, and we’d be happy to discuss them with you.